ABSTRACT

A method of operating a circuit such as an integrated circuit
carried on a plastic [illegible] accepting a challenge and
generating a first response to the challenge using a first
algorithm which operates on at least the challenge and a
secret key derived from information relating to the circuit.
The challenge may be generated and accepted by the circuit,
with a corresponding challenge being generated externally of
the [illegible] challenge is generated externally [illegible]
and is then accepted by the circuit. A token count may be
stored in the circuit and the first response is generated if
a decrement command is successfully carried out [illegible].

50 Claims, 3 Drawing Sheets 
SECURE TOKEN INTEGRATED CIRCUIT
AND METHOD OF PERFORMING A 
SECURE AUTHENTICATION FUNCTION OR 
TRANSACTION 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

This invention relates in broad terms to the operation of 
a circuit, as a token card, in an access control system, and in 
similar applications. The invention is also concerned with a 
method of performing a transaction on a circuit, and with a 
circuit which can be programmed for a particular service and 
which can be loaded or reloaded with tokens. The invention 
relates specifically to integrated circuits (IC's) for such 
cards, and to IC's which can be used for access control 
encoders operating via various communication media such 
as infrared, inductive coupling, RF or microwave links. 

2. Discussion of the Background 

Existing smart card technology can be divided into 
memory based systems and more complex microprocessor 
based systems. These systems have been applied to different 
applications of electronic money transfer and cash cards. 
The need for an electronic payment medium for high volume
transactions and relatively low monetary value per
transaction has demanded inexpensive disposable cards.

The general areas of application of memory based smart 
cards are public telephones, commuting systems, domestic 
energy distribution and vending systems, access control and 
authentication. In these applications the service providers 
usually provide facilities in units of payment. These smart 
cards are therefore referred to as token cards. The cards are 
usually not interchangeable between different services or 
service providers and are programmed for a particular type 
of service and a specific service provider. 

With the rapid growth which is taking place towards
prepaid cashless transactions, existing token card systems
are becoming less acceptable due to their limited
functionality as well as the lack of built-in security mechanisms.
Considerations in the usage of token cards are the cost per
token, the number of tokens which are programmed per
card, the possible frequency of use and the ease of use. In
order to keep the cost of token cards as low as possible the
security, and thus the complexity, of these cards have been
overlooked. The security aspect has become contentious as
token card fraud becomes easier with changes in technology.
An additional requirement in some applications is the ability
to recharge or reload a card with tokens, a factor which has
proved to be a major obstacle.

A so-called link-based token card has been in use for a
number of years round the world in card-based payphone
systems. The technology which is used provides the
capability of an alterable structure on silicon and the tokens are
implemented as respective intact fuses.

A card of this type is programmed by an issuer with the 
required number of fuses or tokens intact. One unit of 
service is granted by a service provider after a link or fuse 
has been successfully removed or blown on the card. The 
link-based token card is uncomplicated and cost effective to 
implement. Tokens are represented in a straightforward 
manner. This type of card is compatible with technology 
available a few years ago. Once all the links have been fused 
the card can only be discarded making it impossible to 
reload the card. This prevents illegal reloading. The fusing 
action is usually permanent making the reloading of a 
specific card impossible or at least non-viable. 
On the other hand a link-based token card does exhibit
certain disadvantages, particularly in the security area. The
cards are all the same and no means of identification of a
specific card exists, rendering service auditing impossible.
Electronic fraud is easy as a valid card can either be cloned
or transactions can be recorded and replayed between a
terminal and a valid card. This action is not traceable and
thus cannot be detected nor prevented. A card cannot be
blacklisted because the cards are not numbered and so are
not individually identifiable.

To limit fraud and add to the functionality of the
link-based card a secure logic memory chip solution has been
developed.

The link-based system has a one-to-one relationship
between tokens and links, requiring a memory area the
extent of which is directly related to the number of tokens on
the chip. With the introduction of non-volatile memory it has
become possible to represent the number of remaining
tokens in a more compact way. Tokens on a card can be held
in one or more counters that will only be decremented and,
once exhausted, the card is discarded. The problem remains
however that the information on the card's IC is in the open
and can easily be read and used to commit fraud.

Security related enhancements to this type of IC are
accomplished by using an IC identification number, secret
codes stored on the IC, and verification data unique to an IC.

The secure logic memory IC is manufactured in three
stages, namely the manufacturer stage, the issuer stage and
the user stage.

During the manufacturing or the first stage, a card IC
receives a unique identity or serial number. This information
is stored in PROM-type memory and cannot be altered
during the lifetime of the IC. This enables transactions
which are performed using the card to be monitored.

The card with the IC leaves the manufacturing stage with
a secret batch or transport code stored in non-readable
memory. In the second or issuer stage the card is placed in
the issuer mode by successful presentation of the transport
code. This prevents the manufacturing of unauthorized
cards. The required number of tokens is now loaded into the
card. The card then enters the third or user stage by blowing
a fuse, disabling the reloading of tokens.

A secret derived number is calculated using an issuer
specific function and the IC or card serial number and is
stored on the card. When the card is used at a terminal, this
number is calculated by the terminal using the serial number
to determine if a legitimate card has been presented. This
offers some degree of verification of the card since the secret
derived number cannot be changed nor recalculated.

These cards offer a number of advantages. The number of
tokens on a card is represented in a more compact way
leaving more silicon area for additional functions. The
transport code provides protection against the fraudulent
loading of tokens. Card tracking is possible as each card
contains a unique serial number and a blacklist can be
downloaded to each terminal, eliminating the use of an
unauthorized card. The derived card number stored on each
card makes it difficult to falsify a card as the user cannot
calculate the derived number from the serial number if the
algorithm is unknown.

On the other hand these cards do suffer from certain
disadvantages. Fraud detection and the administering of
blacklisting facilities can often prove to be impractical. The
cloning of a card is relatively easy as all the data on the card
can be read directly. Transaction sequence replay between a
terminal and a card is still possible as the replay and the
reaction of a valid card cannot be distinguished from one
another.

International standards prescribe the physical format and
the electronic interface of token cards. Communication
between a smart card and a reader is via an electronic
interface. This interface is prescribed by the International
Standards Organization (ISO) and the standard normally
applied is ISO 7816.

SUMMARY OF THE INVENTION 

It is an object of the present invention to provide a method 
of performing a transaction on a circuit, which may be an IC, 
which offers increased security. 

It is a further object of the invention to provide a circuit, 
which may be an IC, for use, for example, in a token card. 

The invention provides, in the first instance, a method of 
performing a transaction on a circuit which includes the 
steps of: 

a) presenting the circuit to a terminal; 

b) transferring a challenge and a decrement command 
from the terminal to the circuit; 

c) implementing the decrement command on the circuit; 

d) if the decrement command has been successfully 
implemented, transferring a response from the circuit to 
the terminal; 

f) if [illegible]

The challenge may include a number which is at least
partly random, and may include a command or other
information.

The response may be an encoded value produced by an
algorithm operating on a secret derived key, the challenge
and other information, e.g. a counter on the circuit. The
secret derived key may be derived from the circuit serial
number and an issuer's key. When the memory map or other
information on the circuit is used along with a challenge, the
response represents a hashing function, or a form of
electronic signature, of the information on the circuit.

The encoding function that is referred to in this
description can be a linear or non-linear encoding function, or an
encryption function, and may be represented by the
equation:

f_encode(secret or derived key, (serial number or challenge)) = encoded information.

The preferred encoding function is a non-linear function.
This type of function is often used in the field of
cryptography and is usually chosen for its characteristics which
prevent or at least inhibit the prediction of the input, even if
the output is known.

The response may be validated by transferring a serial 
number from the circuit to the terminal, performing an 
encoding function on the transferred circuit serial number 
and on an issuer's key to produce a secret derived key, 
performing an encryption function using the secret derived 
key on the challenge and other information, and comparing 
the encoded output to the transferred response. 

The decrement command may cause the decrementing of 
a required number of tokens on the circuit. The decrement 
command may be regarded as having been successfully 
implemented if the required number of tokens is in fact 
available on the circuit and if the number of tokens is 
decremented in accordance with the decrement command. 

The circuit may be reloaded with tokens by transferring to
the circuit a derived validation key, comparing the
transferred derived validation key to a derived validation key still
on the circuit and, if the comparison is acceptable, opening
the circuit for the reloading of tokens.

The circuit may initially carry a transport code which may
be specific to an issuer and which permits the issuer to load
tokens onto the card during an initial stage. The transport
code may be replaced by the derived validation key to
prevent unauthorized programming or reloading of the
circuit if the transport code becomes known.

The invention also provides a circuit which includes:
storage means for storing a serial number;
storage means for storing a secret derived key derived from the serial number, an issuer's key and a first encoding function;
token counter means;
interface means for receiving a challenge and a decrement command;
means for decrementing the count in the token counter means in response to the decrement command;
means, in response to a successful count decrement, for producing an encoded value, from the secret derived key, the challenge and a second encoding function;
means for providing an encoded response based on the challenge, a key, an algorithm and information on the circuit or any subset thereof; and
means for presenting the encoded value to the interface means.

One aspect of the invention provides for a token from a
circuit to be accepted as valid, the deduction of a token from
the circuit must be authenticated and the circuit must be
authenticated. The method of the invention is based on the
manipulation of a challenge and response procedure and
provides information that a valid token has been securely,
i.e. successfully, deducted. If the challenge and response are
correlated then the validity of the circuit is proven and the
token transaction is accepted.

In one embodiment the validation process makes use of
the property that the response to a challenge is unique and
different for each circuit and the relationship between a
response and challenge is kept secret through a secret key
mechanism. The possibility of obtaining the correct
response by chance is kept small by using a large numeric
value for the challenge and the response. An acceptable
numeric value for the challenge and response consists of 32
bits, providing a chance which is less than one in four
thousand million of inadvertently or unlawfully correlating
the challenge and the response. Also, the challenge must not
be predictable.

In a particular embodiment of the invention the challenge
is handled by way of a counter on the circuit. The counter
runs under control of the terminal either through a
synchronous clock signal or under an oscillator on the circuit. For a
duration from the time it is activated (no activity when off)
until the terminal signals it to stop, the card may output
information about the counter status as it is running.

The advantage of such a challenge mechanism is the ease
with which the challenge is transferred. An almost
unidirectional challenge/response (IFF) system is created i.e.
from circuit to terminal.

Another embodiment of the invention provides for a
challenge to be generated based on the period of activation
and a response to be output during the next activation.

In a further embodiment the circuit first transmits a
response and then receives or forms a challenge that is used
the next time it is activated. However, this mechanism does
represent some security risk. Between activations the
challenge information may be stored in non-volatile memory
such as EEPROM or volatile memory with backed up power.

For access control applications, the response may be
based on the challenge and a counter (see SA patent No.
91/4063; U.S. application Ser. No. 08/019821 now U.S. Pat.
No. 5,517,187) that is related to the number of times that the
circuit has been activated.

In more general terms the invention provides a method of
operating a circuit which includes the steps of accepting a
challenge, and generating a first response to the challenge
using a first algorithm which operates on at least the
challenge and a secret key derived from information relating to
the circuit.

In one embodiment the challenge is generated, and
accepted, by the circuit, and a corresponding challenge is
generated externally of the circuit.

The challenge may be generated by means of counter
means in the circuit. The counter means may be controlled
at least partly by means which is external to the circuit.

Alternatively the challenge is generated externally of the
circuit and is then accepted by the circuit.

The challenge may include at least one of the following:
a number which is at least partly random, a command, and
data relating to the circuit.

The information relating to the circuit may be identity
information, such as a serial number.

The method may include the steps of transmitting the first
response to a terminal which is external to the circuit and, at
the terminal, of generating a second response using at least
data relating to the circuit, obtained from the first response.

The second response may be generated by the operation
of the first algorithm on the challenge and on a second key
derived at least from the said obtained data relating to the
circuit. Preferably the second key is derived by the operation
of a second algorithm on the said information relating to the
circuit and on an issuer's key which is stored at the terminal.

The method may include the steps of comparing the
second response to the first response and, depending on the
outcome of the comparison, validating or rejecting the first
response.

When applied to a token transaction, the method may
include the steps of storing a token count in the circuit,
issuing a token count decrement command to the circuit, and
only generating the said first response if the token decrement
command is successfully carried out.

The invention also provides a method of programming a
circuit which includes the steps of:
storing in the circuit a secret transport code which is not readable from outside the circuit;
presenting a transport code to the circuit;
comparing the presented transport code to the secret transport code, and, if the presented transport code is acceptable, carrying out at least one of the following:
storing application specific information in the circuit;
storing a token counter value in the circuit;
storing in the circuit a secret derived key which is derived using information specific to the circuit and a user defined function; and
replacing the secret transport code with a derived validation key.
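
The programming steps above, together with the reload check described earlier, as an added Python model that is not part of the patent. HMAC-SHA-256 truncated to 64 bits is an assumed stand-in for the issuer's unspecified function, and `TokenIC`, `issue` and `reload_tokens` are hypothetical names. It shows why replacing the batch-wide transport code with a per-card derived validation key matters once the transport code becomes known.

```python
import hashlib
import hmac


def derive_validation_key(issuer_key: bytes, serial: bytes) -> bytes:
    """Assumed stand-in for the issuer's secret function (64-bit result)."""
    digest = hmac.new(issuer_key, b"validation|" + serial, hashlib.sha256)
    return digest.digest()[:8]


class TokenIC:
    """Model of the IC memory: readable serial and counter, hidden unlock code."""

    def __init__(self, serial: bytes, transport_code: bytes):
        # Manufacturer stage: the transport code is stored but never readable.
        self.serial = serial
        self.tokens = 0
        self.app_area = b""
        self._code = transport_code
        self._open = False

    def present_code(self, code: bytes) -> bool:
        """Compare the presented code with the stored one; open on a match."""
        self._open = hmac.compare_digest(code, self._code)
        return self._open

    def program(self, tokens: int, app_area: bytes = None, new_code: bytes = None):
        """Write the token count and optional fields, then close the memory."""
        if not self._open:
            raise PermissionError("memory is locked")
        self.tokens = tokens
        if app_area is not None:
            self.app_area = app_area
        if new_code is not None:
            self._code = new_code      # transport code is overwritten
        self._open = False             # one programming pass per unlock


def issue(ic: TokenIC, transport_code: bytes, issuer_key: bytes,
          tokens: int, app_area: bytes) -> bool:
    """Issuer stage: unlock with the batch code, load, install the per-card key."""
    if not ic.present_code(transport_code):
        return False
    ic.program(tokens, app_area, derive_validation_key(issuer_key, ic.serial))
    return True


def reload_tokens(ic: TokenIC, issuer_key: bytes, tokens: int) -> bool:
    """Reload: only the validation key derived for this serial opens the IC."""
    if not ic.present_code(derive_validation_key(issuer_key, ic.serial)):
        return False
    ic.program(ic.tokens + tokens)
    return True


if __name__ == "__main__":
    batch_code = b"BATCH-01"                 # constructed sample values
    issuer_key = bytes(range(16))
    card = TokenIC(bytes.fromhex("000000000001"), batch_code)
    print(issue(card, batch_code, issuer_key, 10, b"\x00\x01"))   # issued
    print(card.present_code(batch_code))     # old batch code no longer opens it
    print(reload_tokens(card, issuer_key, 5), card.tokens)
```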

The invention also extends to a method of operating a
token card which includes the steps of:

a) on the card, storing a card serial number, a token count
and a first secret key derived from at least the card
serial number,

b) at a terminal, storing a card issuer's key,

c) presenting the card to the terminal,

d) at the terminal, reading the card serial number, and
issuing to the card a challenge and a token count
decrement command,

e) on the card, if the token count decrement command is
successfully carried out, operating a first algorithm on
the first secret key and the challenge to produce a first
response,

f) transferring the first response to the terminal,

g) at the terminal, operating the first algorithm on the
challenge and on a second key derived from at least the
card issuer's key and information obtained from the
transferred first response, to produce a second response,
and

h) at the terminal, comparing the transferred first response
to the second response.
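
Steps a) to h) as an added Python model that is not part of the patent. HMAC-SHA-256, truncated to the 64-bit key and 32-bit challenge and response sizes the description gives as examples, is an assumed stand-in for the unspecified encoding functions, and all class and function names are hypothetical. It also shows a recorded response and a card without the issuer-derived key both failing the comparison in step h).

```python
import hashlib
import hmac
import secrets

CHALLENGE_BYTES = 4   # 32-bit challenge and response
KEY_BYTES = 8         # 64-bit secret derived key


def encode(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """Assumed stand-in for the unspecified non-linear encoding function."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:out_len]


def derive_card_key(issuer_key: bytes, serial: bytes) -> bytes:
    """Second algorithm: secret derived key from issuer's key and serial."""
    return encode(issuer_key, b"derive|", serial, KEY_BYTES)


def make_response(card_key: bytes, challenge: bytes) -> bytes:
    """First algorithm: response from the secret derived key and challenge."""
    return encode(card_key, b"respond|", challenge, CHALLENGE_BYTES)


class Card:
    """Step a): readable serial and token count, hidden secret derived key."""

    def __init__(self, serial: bytes, card_key: bytes, tokens: int):
        self.serial = serial
        self.tokens = tokens
        self._key = card_key           # never leaves the card

    def decrement_and_respond(self, challenge: bytes, amount: int):
        # Step e): respond only if the decrement was actually carried out.
        if amount <= 0 or amount > self.tokens:
            return None                # the IC stays silent
        self.tokens -= amount
        return make_response(self._key, challenge)


class RecordedCard:
    """Constructed test double: replays one captured response, holds no key."""

    def __init__(self, serial: bytes, captured_response: bytes):
        self.serial = serial
        self._captured = captured_response

    def decrement_and_respond(self, challenge: bytes, amount: int):
        return self._captured


class Terminal:
    def __init__(self, issuer_key: bytes, rng=secrets.token_bytes):
        self._issuer_key = issuer_key  # step b)
        self._rng = rng

    def charge(self, card, amount: int) -> bool:
        serial = card.serial                       # step d): serial in the open
        challenge = self._rng(CHALLENGE_BYTES)     # step d): unpredictable
        first = card.decrement_and_respond(challenge, amount)  # steps e), f)
        if first is None:
            return False                           # no response: cancelled
        second_key = derive_card_key(self._issuer_key, serial)
        second = make_response(second_key, challenge)          # step g)
        return hmac.compare_digest(first, second)              # step h)


def demo() -> dict:
    issuer_key = secrets.token_bytes(16)
    serial = bytes.fromhex("0000000a11ce")         # constructed 48-bit serial
    genuine = Card(serial, derive_card_key(issuer_key, serial), tokens=3)
    terminal = Terminal(issuer_key)
    results = {"genuine": terminal.charge(genuine, 2),
               "insufficient": terminal.charge(genuine, 2)}
    # A response captured for one challenge does not answer the next one.
    old_challenge = secrets.token_bytes(CHALLENGE_BYTES)
    captured = genuine.decrement_and_respond(old_challenge, 1)
    results["replay"] = terminal.charge(RecordedCard(serial, captured), 1)
    # Same serial, but a key that was not derived from the issuer's key.
    forged = Card(serial, secrets.token_bytes(KEY_BYTES), tokens=99)
    results["forged"] = terminal.charge(forged, 1)
    results["tokens_left"] = genuine.tokens
    return results


if __name__ == "__main__":
    print(demo())
```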

The invention also provides a circuit which includes 
means for accepting a challenge, and means for generating 
a first response to the challenge using a first algorithm which 
operates on at least the challenge and a secret key derived 
from information relating to the circuit. 

The circuit may include means such as a counter for 
generating the challenge. 

The counter may be at least partly externally controlled. 

The circuit may include means for storing a token count 
and means for receiving a token count decrement command 
and control means for generating the said first response only 
if the token decrement command is successfully carried out. 

The circuit may be provided in any suitable form, e.g. as 
an integrated circuit which may be bonded to a card to form 
a secure token card. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention is further described by way of example 
with reference to the accompanying drawings in which: 

FIG. 1 is a block diagram of an IC according to the
invention,

FIG. 2 is a block diagram illustrating the operation of an 
IC and a terminal, and 

FIG. 3 is a memory map of an IC according to the 
invention showing memory variables that can be defined and 
altered at manufacturing, issuing and user stages in the cycle 
of the IC. 

DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

Referring particularly to FIG. 1 of the accompanying 
drawings, the IC 1 of the invention includes a memory 10, 
such as a 256 bit non-volatile random access memory 
(RAM), preferably using EEPROM technology. 

FIG. 3 shows a map 12 of the memory area, which is
divided into sections which include storage 14 for a secret
derived key 16, storage 18 for a transport code 20 or derived
validation key 20A, a lock indicator area 22, storage 24 for
a manufacturer's code 26, storage 28 for a card serial
number 30, an area 32 for a token count 34, and an
application or utility area 36.

The numbers of bits used for each element are given as 
practical examples in this description. The bit lengths are 
chosen short enough to ensure that the implementation is 
practical to realize, but long enough to be secure for the 
applications for which the invention is intended. 

For this embodiment, the secret derived key 16 uses 64
bits of memory. The transport code 20 or derived validation
key 20A uses 64 bits with 16 bits overlapping with 16 bits
of the secret derived key. The overlapping portion is
indicated by hatching 38.

The lock indicator area 22 is used to indicate if the card 
is locked for access from outside or not and uses 16 bits. 
The manufacturer's code 26 comprises 16 bits and contains
a secret code which is used to prevent the issuing of
ICs by unauthorized manufacturers.

The IC serial number 30 consists of 48 bits.

The area 34 consists of 48 bits and stores the number of
tokens issued by an issuer as well as an error correction
procedure 40, see FIG. 2, that operates on the token counter
area to ensure reliable token counter operation.

The application or utility area 36 consists of 16 bits and
is used for general IC detail or particulars pertaining to an
application.

Referring to FIG. 1, the IC includes a serial interface 42
which provides a standard ISO 7816-3 interface 43 to the IC,
consisting of serial synchronous write information to the IC
or serial synchronous read information from the IC. The
interface also includes provision 44 for clock information
for the IC.

Commands which can be input to the IC via the serial
interface 43 include reset e.g. on power up, read from, write
to, submit transport code to, decrement token on, primary
validate and secondary validate. The commands are issued
conforming to a defined protocol.

The timing of internal and external electrical signals is
controlled by an on-chip oscillator 46.

A power-on reset circuit 48 is provided to reset the circuit
of the IC at power-on to ensure that the IC's circuits are in
a known state when it is activated. The circuit 48 also
ensures that the IC is not functional below a predetermined
[illegible].

A counter and error correction function is carried out by
a module 50. The IC also includes processing means 52 for
carrying out a validation encoding function, see FIG. 2.
The encoding function that is referred to in this description
can be a linear or non-linear encoding function or an
encryption function.

FIG. 2 is a block diagram illustrating the operation of the
IC in conjunction with a IC reader or terminal. The serial
interface 42 of the IC is positioned on a center line of FIG.
2. Components to the left of the serial interface are
associated with the terminal while the components on the right of
the serial interface are associated with the IC.

In FIG. 2 like reference numerals are used to indicate
items which are similar to the corresponding items described
in connection with FIGS. 1 and 3.

The life cycle of an IC consists of three stages namely the
manufacturer, issuer and user stages.

During the manufacturer stage access to the memory of
the IC is provided by special physical access controls as well
as access protection on the IC itself. The access controls are
typically realized by probing special contacts directly on the
circuit. The IC serial number 30 and the manufacturer's code
26 are programmed into the IC. The secret transport code 20
is also programmed into the IC. This code is not readable
from outside the IC after this stage. The secret transport code
is used to identify a specific issuer. The secret transport code
is protected by the electronic circuits of the IC.

While in the issuer stage, application specific information
is programmed into the IC. Application specific information
relates to the specific application that the IC will be used for,
for example a specific type of vending machine. To activate
the programming the correct corresponding secret transport
code must be presented by the issuer to the IC. The presented
transport code is compared with the stored transport code 20
using a compare function 54. Access to the memory area 12
of the IC is protected by a control access function 56.

If the correct transport code is presented to the IC then the
memory area of the card can be accessed. This permits the
application or utility area 36 to be programmed. The
information programmed into this area may be diverse and for
example may relate to a terminal with which the IC can be
used, restrict the application of the IC in a particular way, or
contain any other [illegible] information.

The token counter value 34 is also programmed into the
area 32. The number of tokens depends on the application of
the IC.

The secret derived key is calculated by the issuer using the
IC serial number 30 and a secret function which is defined
by the [illegible] and then stored.

After the initial use of the transport code by the issuer a
new secret value can be stored in place of the transport code
20 [illegible] the derived validation key 20A.

The user stage follows the issuer stage. Only limited read
access to the memory is permitted. Access to the memory is
not permitted by special circuitry provided on the IC. The
contents of the memory can only be modified by
decrementing the token value 34, or by writing a value to the
application or utility area 36. Any other access is restricted
to the reading of the contents of the memory, excluding the
secret derived key 16.

Referring to the left of the serial interface in FIG. 2, the
IC reader or terminal includes an IC serial number reader 58,
an encoding function 60 of the issuer, a random number
generator 62, storage 64 for a derived validation key or a
secret derived key, a validation encryption function 66, a
comparison module 68, storage for an issuer's key 70, and
a command generator 72.

When the IC is presented to the terminal the IC's serial
number 30 is read by the reader 58 in the open i.e. without
any encoding of the IC's serial number taking place. A
derived validation key or secret derived key is calculated by
the terminal using the serial number, the issuer's key 70, and
the encoding function 60 stored in storage 64.

Commands are issued to the IC via the module 72.
Commands can consist of but are not limited to, a validation
command, a token decrement command or read card serial
number. At the same time a random number 74
produced by the generator 62 is transferred to the IC.

Reference is made particularly to the situation in which
the command from the module 72 is a token decrement
command. The decrement command can be a coded bit
string that can be decoded by the control 56 to enable the
chosen action. The control 56 issues a command to a token
decrement unit 76, to decrement the token count stored in
the token counter 34 that forms part of the memory 10. If this
function is carried out successfully, and this implies that the
required number of tokens are present in the token counter
34 and checked by the control 56, the validation encoding
function is implemented by the validation encoding function
52 operating on the secret derived key 16 and the challenge
or random number 74. The token counter 34 decrements the
token count. The response 78, produced by the validation
encoding function 52 and controlled by the control 56, is
supplied through the serial interface 42 to the comparison
module 68. If an insufficient number of tokens are present,
the IC either does not respond or responds with an invalid
response 78. The other input to the comparison module 68
is the output of the encoding function 66 operating on the
secret derived key 64 in the terminal and on the challenge
74.

Commands from module 72 to control 56 can consist of,
but are not limited to a validation command, a token
decrement command or read card serial number command.
These commands are encoded and transported through the
serial interface 42.

The operation of the encoding function 60 on the issuer's
key and the IC serial number, which is unique to the IC
[illegible] reader terminal, produces a secret derived key
which should be identical to the secret derived key 16 in the
IC. The encoding functions 52 and 66 are identical and thus,
for a valid IC, the encoded output of the function 66 should
be identical to the response 78.

The token counter value on the IC is error corrected by the
error correction function 40. This ensures that errors are
corrected during an IC transaction to improve the reliability
of token storage. For example an error may have arisen
during a previous transaction in that there might have been
a power failure or the IC may have been removed from the
terminal before the previous transaction was completed.

The IC reader thus calculates a predicted response for the
IC by using the challenge value 74 and the secret derived
key in storage 64. The predicted response is compared to the
IC response 78. If the two values match the IC and the
transaction are accepted as valid. If no match is found the IC
is rejected. If no tokens exist on the IC then the IC does not
respond and the transaction is cancelled.

Information can be included in the challenge value 74.
Thus the challenge value can be totally random but
alternatively can be partially random with the remainder of the
value being used to convey information, to the IC, for any
desired purpose. This information can for example be used
for token value confirmation.

On the other hand the IC which is being challenged can
also replace a portion of the challenge with information or
a command value before feeding it through the algorithm or
encoding function 52 to generate the response 78. The
device that originated the response can then do the reverse
algorithm (decoding or decryption) to verify that the
resultant value corresponds to part of the challenge. If it
corresponds it could then accept the other part as valid
information or a valid command. This mechanism can be usefully
implemented with IC card systems, as well as other
applications.

In one respect the operation of the system can be
sum[illegible]

[...] the appended claims, the invention may be practiced
otherwise than as specifically described herein.

What is claimed as new and desired to be secured by
[Letters Patent] of the United States is:

1. A method of operating a circuit which includes the steps
of accepting a challenge and a command, generating a first
response to the challenge using a first algorithm which
operates on at least the challenge and a secret key derived
from information relating to the circuit and generating the
first response if the command is successfully carried
out.

2. A method according to claim 1 wherein the challenge
is generated, and accepted, by the circuit, and a
corresponding challenge is generated externally of the circuit.

3. A method according to claim 2 wherein the challenge
is generated by a counter means in the circuit.

4. A method according to claim 3 wherein the counter
means is controlled at least partly by means which is
external to the circuit.

5. A method according to claim 1 wherein the challenge
is generated externally of the circuit and is then accepted by
the circuit.

6. A method according to claim 5 wherein the challenge
includes at least one of the following:
a number which is at least partly random, a command, and
data relating to the circuit.

7. A method according to claim 1 wherein the information
relating to the circuit is circuit identity information.

8. A method according to claim 1 which includes the step
of transmitting the first response to a terminal which is
external to the circuit.

9. A method according to claim 8 which includes the step,
at the terminal, of generating a second response using at
least data, relating to the circuit, obtained from the first
response.

10. A method according to claim 9 wherein the second
response is generated by the operation of the first algorithm
on the challenge and on a second key derived at least from
the said obtained data.

11. A method according to claim 10 wherein the second
key is derived by the operation of a second algorithm on the
said information relating to the circuit and on an issuer's key
which is stored at the terminal.

12. A method according to claim 9 which includes the

manzed as follows. Thc terminal presents a challenge to thc t c tU & , . *u c . 

T „. j u j j • •. . *u 1^ steps of comparing the second response to the first response 

IC by generating a random number and sending it to thc IC. 45 K , J. * c a. • e 

. r • * * . . and, depending on the outcome of the comparison, of 

The IC transforms this chaUenge into a unique response, * flr * ^ ^ ^ 

us.ng an algorithm, only if the desired number of tokens is u A method J acco £ ing to claim T wnich includes lhe step 

available and only after these tokens have been successfully r ♦ • . 1 ♦ * .1. 

,, 4 , f •* j/ of storing a token count in the circuit, 

deducted from the token counter. The response is returned to AA A 0 4 , , , t . , . . . , . iU 

t , 10 , , . 1 . j u- u • *n 14. A method according to claim 13 which includes the 

the IC reader and is correlated with a response which is 50 . f 4 . , . & , , . , . 

.... . , , ™ .„ . ,^ , steps of accepting a token count decrement command and 

predicted by the card reader. The IC and the IC reader use f .if c . -c .u . 1 j 

f. , f • • . .1 1 . ,1 1 ' ( i only genera ting the said first response if the token decrement 

the secret derived number as the key to the algorithm. j ■ en • j 

J b command is successfully carried out. 

If the correlation is successful the validity of the IC is 15 A method according to c i a i m i wherein the circuit is 

proven and the token transaction is accepted. an { ntegra ted circuit. 

The aforementioned mechanism is different from a design 16. A method according to claim 15 wherein the inte- 

where an IC is authenticated with a challenge and response grated circuit is carried on a card. 

action which is not directly linked to the successful dedue- 17. A method of programming a circuit which includes the 

tion of tokens. steps of: 

The IC referred to hereinbefore may be provided in any 60 storing in the circuit a secret transport code which is not 

suitable way and, particularly for token card use, on a plastic readable from outside the circuit; 

or similar card. Also, although the invention has been presenting a transport code to the circuit; 

described with reference to an IC, the foregoing principles comparing the presented transport code to the secret 

can be embodied in any appropriate circuit. transport code and, if the presented transport code is 

Obviously, numerous modifications and variations of the 65 acceptable, carrying out at least one of the following: 

present invention are possible in light of the above leach- storing application specific information in the circuit; 

ings. It is therefore to be understood that within the scope of storing a token counter value in the circuit; 
storing in the circuit a secret derived key which is derived using information specific to the circuit and a user defined function; and

replacing the secret transport code with a derived validation key.

18. A method according to claim 17 wherein the information which is specific to the circuit is a serial number.

19. A method of operating a circuit which includes the steps of:

presenting the circuit to a terminal, accepting a challenge and a command, generating a first response to the challenge using a first algorithm which operates on at least the challenge and a secret key derived from information relating to the circuit, and generating the first response only if the command is successfully carried out.

20. A method according to claim 19 wherein the challenge is generated, and accepted, by the circuit, and a corresponding challenge is generated by the terminal.

21. A method according to claim 19 wherein the challenge is generated by the terminal and is then accepted by the circuit.

22. A method according to claim 19 which includes the step of transmitting the first response to the terminal.

23. A method according to claim 22 which includes the step, at the terminal, of generating a second response by the operation of the first algorithm on the challenge and on a second key which is derived by the operation of a second algorithm on the said information relating to the circuit and an issuer's key which is stored at the terminal.

24. A method according to claim 23 which includes the steps of comparing the second response to the first response and, depending on the outcome of the comparison, of validating or rejecting the first response.

25. A method according to claim 19 which includes the steps of storing a token count in the circuit, issuing a token count decrement command from the terminal to the circuit, and only generating the said first response if the token decrement command is successfully carried out.

26. A method of operating a token card which includes the steps of:

(a) on the card, storing a card serial number, a token count and a first secret key derived from at least the card serial number;

(b) at a terminal, storing a card issuer's key;

(c) presenting the card to the terminal;

(d) at the terminal, reading the card serial number, and issuing to the card a challenge and a token count decrement command;

(e) on the card, if the token count decrement command is successfully carried out, operating a first algorithm on the first secret key and the challenge to produce a first response;

(f) transferring the first response to the terminal;

(g) at the terminal, operating the first algorithm on the challenge and on a second key derived from at least the card issuer's key and information obtained from the transferred first response, to produce a second response; and

(h) at the terminal, comparing the transferred first response to the second response.

27. A method according to claim 26 wherein the second key is produced by the operation of a second algorithm on the card issuer's key and on the card serial number extracted from the said information obtained from the transferred first response.

28. A method according to claim 26 which includes the step of accepting the card and the token transaction as valid if the transferred first response is successfully compared to the second response.

29. A circuit which includes means for accepting a challenge and a command, means for generating a first response to the challenge using a first algorithm which operates on at least the challenge and a secret key derived from information relating to the circuit, and means for generating the first response only if the command is successfully carried out.

30. A circuit according to claim 29 which includes means for generating the challenge.

31. A circuit according to claim 30 wherein the challenge generating means includes counter means.

32. A circuit according to claim 31 wherein the counter means is controlled at least partly by means which is external to the circuit.

33. A circuit according to claim 29 wherein the challenge includes at least one of the following:

a number which is at least partly random, a command, and data relating to the circuit.

34. A circuit according to claim 29 wherein the information relating to the circuit is a serial number.

35. A circuit according to claim 29 which includes means for transmitting the first response to a terminal.

36. A circuit according to claim 29 which includes means for storing a token count.

37. A circuit according to claim 36 which includes means for receiving a token count decrement command and control means for generating the said first response only if the token decrement command is successfully carried out.

38. A circuit according to claim 29 which is an integrated circuit.

39. A circuit according to claim 38 wherein the integrated circuit is carried on a card.

40. A method of operating a circuit, the method including the steps of:

programming a token counter;

programming a serial number;

[...] the secret key;

submitting a challenge and a command to the circuit;

circuit responding to the challenge in a secret manner using at least one of the following:

[...]

the secret key;

an encoding algorithm; and

information relating to the circuit;

executing the command; and

producing a response that is evaluated to present an indication of validity.

41. A method according to claim 40 which includes the steps of including in the challenge a command and a count, deducting the count from the token counter, and calculating a response using the new token counter value.

42. A method according to claim 40 which includes the step of controlling a second counter from a terminal, the second counter controlling the challenge.

43. A method according to claim 41 which includes the step of controlling a second counter from a terminal, the second counter controlling the challenge.

44. A method according to claim 40 which includes the step of storing the challenge in memory until the next time a challenge is submitted to the circuit.

45. A circuit which includes:

means for programming a token counter with a value;
means for programming a serial number;

means for deriving a secret key from the serial number; 

means for storing the secret key; 

means for accepting a challenge and a command; 

means for responding to the challenge in a secret manner 

using at least one of the following: 

the token counter; 

the secret key; 

an encoding algorithm; and
information relating to the circuit; 
means for executing the command; and 
means for producing a response that is evaluated to 
present an indication of validity. 

46. A circuit according to claim 45 which includes means
for extracting a count from the challenge, means for deducting
the count from a value in the token counter to produce
a new token value, and means for calculating a response
using the new token counter value.

47. A circuit according to claim 45 which includes means
for accepting a count, from a terminal, which controls the 
challenge. 

48. A circuit according to claim 45 produced as an 
integrated circuit, which is bonded on a card to form a secure 
token card.

49. A method of performing a transaction on a circuit 
which includes the steps of: 

(a) presenting the circuit to a terminal; 

(b) transferring a challenge and a decrement command 
from the terminal to the circuit; 




(c) implementing the decrement command on the circuit; 

(d) if the decrement command has been successfully 
implemented, transferring a response from the circuit to 
the terminal; 

(e) validating the response; and

(f) if the response is valid, accepting the transaction. 

50. A circuit which includes: 

first storage means for storing a serial number; 

second storage means for storing a secret derived key 

derived from the serial number, an issuer's key and a 

first encoding function; 
token counter means; 

interface means for receiving a challenge and a decrement 
command; 

means for decrementing a count in the token counter 
means in response to the decrement command; 

means, in response to a successful count decrement, for 
producing an encoded value, from the secret derived 
key, the challenge and a second encoding function; 

means for providing an encoded response based on the 
challenge, a key, an algorithm and information on the 
circuit; and 

means for presenting the encoded value to the interface 
means. 
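
Added example (not part of the patent text): a Python sketch of the transaction set out in claims 26 and 50 and in the description's summary, in which the IC answers the challenge only after the token deduction has succeeded and the terminal re-derives the card key from the serial number and the issuer's key. HMAC-SHA256 stands in for the unspecified first and second encoding functions, and all class names, method names and key values are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def encode(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces the patent's unspecified encoding functions.
    return hmac.new(key, data, hashlib.sha256).digest()


class TokenIC:
    """Card side: serial number, token counter and secret derived key."""

    def __init__(self, serial: bytes, derived_key: bytes, tokens: int):
        self.serial, self._key, self.tokens = serial, derived_key, tokens

    def decrement_and_respond(self, challenge: bytes, count: int):
        # The IC stays silent unless the deduction can be carried out first.
        if count <= 0 or count > self.tokens:
            return None
        self.tokens -= count
        return encode(self._key, challenge)


class Terminal:
    """Reader side: stores only the issuer's key and re-derives each card key."""

    def __init__(self, issuer_key: bytes):
        self._issuer_key = issuer_key

    def derive_key(self, serial: bytes) -> bytes:
        return encode(self._issuer_key, serial)

    def transact(self, ic: TokenIC, count: int) -> bool:
        challenge = secrets.token_bytes(16)        # fresh random challenge
        response = ic.decrement_and_respond(challenge, count)
        if response is None:
            return False                           # no response: transaction cancelled
        predicted = encode(self.derive_key(ic.serial), challenge)
        return hmac.compare_digest(predicted, response)


def demo() -> dict:
    terminal = Terminal(b"constructed-issuer-key")  # constructed sample key
    serial = b"SN-0001"                             # constructed serial number
    genuine = TokenIC(serial, terminal.derive_key(serial), tokens=3)
    clone = TokenIC(serial, b"guessed-key", tokens=3)
    return {
        "genuine_ok": terminal.transact(genuine, 2),
        "tokens_left": genuine.tokens,
        "overdraw_ok": terminal.transact(genuine, 2),
        "tokens_after_overdraw": genuine.tokens,
        "clone_ok": terminal.transact(clone, 1),
    }
```

In this sketch the response covers the challenge alone, so it shows that a deduction took place but not its amount; claim 41's variant calculates the response using the new token counter value.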

* * * * *